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Claims 

t 1 ] A rijndael block cipher apparatus comprising: 

a round operation unit for transforming a 128-bit input key into a 128-bit round 
key for encryption or decryption, and storing the 128-bit round key according to 
a value of a mode signal from a time when a round operation start signal, a round 
number signal and a bit selection signal for dividing the 128-bit input data into 
upper 64 bits and lower 64 bits and selecting the upper or lower 64 bits are 
inputted after an encryption or decryption operation start signal and the mode 
signal are inputted, encrypting the 128-bit input data by dividing the 128-bit 
input data into the upper 64 bits and the lower 64 bits and by performing a round 
operation which is composed of transforms of shift_row, substitution, 
mixcokimn and add-round-key with respect to the divided upper 64 bits and 
lower b4 bits, respectively, and decrypting the 128-bit input data by dividing the 
128-bit input data into the upper 64 bits and the lower 64 bits and by performing 
a round operation which is composed of transforms of inverse-shift_row, inverse 
substitution, add-round-key and inverse mixcolumn with respect to the divided 
upper 64 bits and lower b4 bits, respectively; 

a round operation control unit for controlling the round operation of the round 
operation unit by transmitting the round operation start signal, the round number 
signal and the bit selection signal for dividing the 128-bit input data into the 
upper 64 bits and lower 64 bits and selecting the upper or lower 64 bits to the 
round operation unit from a time when the encryption or decryption operation 
start signal and the mode signal are inputted; 

a 64-bit data register for storing intermediate encryption or decryption data of the 
upper 64-bit input data generated during each round operation performed by the 
round operation unit; and 

a 128-bit data register for storing intermediate encryption or decryption data of 
the lower 64-bit input data generated during each round operation performed by 
the round operation unit as its lower 64 bits, and storing the encryption or 
decryption data generated as a result of a last round operation and stored in the 
64-bit data register as its upper 64-bit data. 

The apparatus as claimed in claim 1, wherein the round operation unit comprises: 
a round key generation unit for transforming the 128-bit input key into the 
128-bit round key RK for encryption or decryption according to the value of the 
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mode signal inputted through a bus and storing the ,28-bi, round key in an 
■mental 128-bi. round key register if.be round operation star, signal and the 
round number signal are inputted from the round operation eontrol uni,- 
a sbift/i„verse-shif,.row transform unit for performing a bye-shift o, me upper 
64 btts and the .ower 64 bi B divided from me 128-bit input data inputted mrough 
fte bus by duTeren, numbers according ,„ me vaUe of me mode signal inputted 
through flte bus if me round operation star, signa. and the bi, Section signal aro 
mputted from me round operation control unit, and ourputting me by,e- S hif«ed 

cTllTd M ^ ,hn ' U8h 2 *" m ^ OU '" U ' of •** * 

conttolled accordmg to the valte of the bit selection signal- 

a substitution/inverse-subsumtion transform unit for performing a substitution or 
an tnverse snbsdturion of the upper 64-bi, data and the lower 64-bi, data 
ousted from me shift/inverse-snif^row transform unit using . s „ bslitution box 
(S-box) or an mverse-subsdttmon box (Si-box) that provides a o„e-by,e output 
with respect to a one-byte input; 

a to, demuiip-exer for outputting me upper 64-bi, da* or me lower 64-bi, data 
outputted from me subsdttttioa/inve.e-subsdttnion transform u „ it ^ either 
of* encryption on,pu, terminal and its decryption ou,pu, termina. according ,o 
the value of the mode signal; 

a n^x/mverse-mixcolurnn transfonn unit for performing a mixeolumn of the 
Zn^^ 

tenxunal of the first demuMplexer, or performing an inverse mixcoLmn of the 
upper 64-bit data or the lower 64-bit data that has been add- 
round-key-transformed; 

a second demtfiplexer for outputting the upper 64-bi, darn or me lower 64-bi, 
data outputted from me ndx/inverse-mixcobmn ttansfomr uni, mrough either of 
encrypuon output terminal and its deception ou,pu, terminal according to the 
valie of the mode signal; 

an add-round-key transform unit for performing an addition of me upper 64-bi, 
data or the lower 64-bi, data inputted mrough the decryption outpu, termina. of 
ft. to. detm^exeror ftrough the encryption output terminal of fte second 
demuhUexer ,o fte 128-bi, round key RK for encryption or decrypdon 
oulputted from fte round key generalion unit; and 

a ftird demt^exer for outputting fte upper 64-bi, data or fte lower 64-bi, data 
outputted from fte add-round-key transform uni, mrough either of ha encryption 
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output terminal and its decryption output terminal according to the value of the 
mode signal 

The apparatus as claimed in claim 1 or 2, wherein if the four-clock or three-clock 
round operation start signal is inputted from the round operation control unit to 
the round operation unit, the upper 64-bit data outputted from the substitution/ 
inverse-substitution transform unit to the first demultiplexer is stored in the 
64-bit data register, and the lower 64-bit data outputted is stored as lower 64-bit 
data of the 128-bit data register. 

The apparatus as claimed in claim 1 or 2, wherein if the four-clock round 
operation start signal is inputted from the round operation control unit to the 
round operation unit, the upper 64-bit data outputted from the mix/ 
inverse-mixcokimn transform unit to the second demultiplexer is stored in the 
64-bit data register, and the lower 64-bit data outputted is stored as lower 64-bit 
data of the 128-bit data register. 

The apparatus as claimed in claim 1 or 2, wherein if the four-clock round 
operation start signal is inputted from the round operation control unit to the 
round operation unit, the upper 64-bit data for encryption outputted from the 
add-round-key transform unit to the third demultiplexer is stored as upper 64-bit 
data of the 128-bit data register, and the lower 64-bit data for encryption is stored 
as lower 64-bit data of the 128-bit data register. 

The apparatus as claimed in claim 1 or 2, wherein if the four-clock round 
operation start signal is inputted from the round operation control unit to the 
round operation unit, the upper 64-bit data for decryption outputted from the 
add-round-key transform unit to the third demultiplexer is stored in the 64-bit 
data register, and the lower 64-bit data for decryption is stored as lower 64-bit 
data of the 128-bit data register. 

The apparatus as claimed in claim 1 or 2, wherein if the four-clock round 
operation start signal is inputted from the round operation control unit to the 
round operation unit, the inverse-mixcolumn-transformed upper 64-bit data 
outputted from the mix/inverse-mixcolumn transform unit to the second de- 
multiplexer is stored as upper 64-bit data of the 128-bit data register, and the 
inverse-mixcolumn-transformed lower 64-bit data is stored as lower 64-bit data 
of the 128-bit data register. 

The apparatus as claimed in claim 1 or 2, wherein if the three-clock round 
operation start signal is inputted from the round operation control unit to the 
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round operation unit, the upper 64-bit data for encryption inverse- 
mixcobmn-transformed and then outputted from the add-round-key transform 
unit to the third demultiplexer is stored in the 64-bit data register, and then if a 
last third clock becomes T, the upper 64-bit data for encryption is stored as 
upper 64-bit data of the 128-bit data register, and the lower 64-bit data for 
encryption is stored as lower 64-bit data of the 128-bit data register. 
The apparatus as claimed in claim 1 or 2, wherein if the three-clock round 
operation start signal is inputted from the round operation control unit to the 
round operation unit, the upper 64-bit data add-round-key-transformed, inverse- 
mixcolumn-transformed, and then outputted from the mix/inverse-mixcolumn 
transform unit to the second demultiplexer is stored in the 64-bit data register, 
and then if a last third clock becomes T, the inverse-mixcolumn-transformed 
upper 64-bit data is stored as upper 64-bit data of the 128-bit data register, and 
the inverse-mixcolumn-transformed lower 64-bit data is stored as lower 64-bit 
data of the 128-bit data register. 
[10] The apparatus as claimed in claim 1 or 2, wherein if the two-clock round 

operation start signal is inputted from the round operation control unit to the 
round operation unit, the upper 64-bit data for encryption shift_row-trasnformed, 
substitution-transformed, mixcolumn-transformed, and then outputted from the 
add-round-key transform unit to the third demultiplexer is stored in the 64-bit 
data register, and then if a last second clock becomes T, the upper 64-bit data for 
encryption is stored as upper 64-bit data of the 128-bit data register, and the 
lower 64-bit data for encryption is stored as lower 64-bit data of the 128-bit data 
register. 

[11] The apparatus as claimed in claim 1 or 2, wherein if the two-clock round 

operation start signal is inputted from the round operation control unit to the 
round operation unit, the upper 64-bit data inverse-shift_row-trasnformed, 
inverse-substitution-transformed, add-round-key-transformed, and then inverse- 
mixcokimn-transformed and outputted from the mix/inverse-mixcolumn 
transform unit to the second demultiplexer is stored in the 64-bit data register, 
and then if a last second clock becomes T, the inverse-mixcolumn-transformed 
upper 64-bit data is stored as upper 64-bit data of the 128-bit data register, and 
the inverse-mixcolumn-transformed lower 64-bit data is stored as lower 64-bit 
data of the 128-bit data register. 

[12] The apparatus as claimed in claim 2, wherein the round key generation unit 
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comprises: 

a 128-bit prekey register for storing the 128-bit input key inputted through the 
bus as a prekey for transforming the 128-bit input key into the 128-bit round key 
RK for encryption or decryption, and storing the 128-bit round key RK generated 
after each round operation as a prekey for generating a round key RK used in a 
next round operation; 

a 128-bit key register for storing the 128-bit round key RK for encryption or 
decryption for each round operation; 

a constant storage unit for storing constant values Rcon determined according to 
the order of the round indicated by the round number signal inputted from the 
round operation control unit; 

a second multiplexer for being controlled according to the value of the mode 
signal inputted through the bus, and selecting and outputting one of 32-bit keys 
for encryption or decryption inputted from the 128-bit prekey register and the 
128-bit round key register; 

a shifter for performing a cyclic shift of the 32-bit key inputted through the 
second multiplexer to the left by one byte; 

a substitution transform unit, composed of substitution boxes (S-boxes) for 
performing a substitution operation, for performing the substitution of the 32-bit 
key shifted by the shifter; 

a first XOR gate for performing an XOR operation of the most significant byte 
of the 32-bit key outputted from the substitution transform unit with the constant 
vaiie stored in the constant storage unit; and 

a round XOR operation unit for newly generating the 128-bit round key RK for 
encryption or decryption to be stored in the 128-bit round key register for each 
round of the round operation by performing an XOR operation using a 32-bit 
value obtained by adding output bits of the first XOR gate to the remaining 24 
bits except for the most significant byte of the substitution transform unit, the 
128-bit prekey of the previous round stored in the 128-bit prekey register 111, 
and the 128-bit round key RK of the new round stored in the 128-bit round key 
register. 

The apparatus as claimed in claim 12, wherein if the four-clock round operation 
start signal is inputted from the round operation control unit to the round 
operation unit, the round XOR operation unit of the round key generation unit 
generates the encryption round key in a period of four clocks; and 
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wherein the round XOR operation unit comprises: 

a second XOR gate for generating the most significant 32-bit round key RKO of 
the 128-bit round key for encryption or decryption of the new round by 
performing an XOR operation of the 32-bit value obtained by adding the output 
bits of the first XOR gate to the remaining 24 bits except for the most significant 
byte of the substitution transform unit, with the most significant 32-bit value 
PKO of the 128-bit round key of the previous round, if the first clock of the 
encryption round operation start signal becomes T; 

a third XOR gate for generating a 32-bit (i.e., 95* bit to 64 th bit) round key RK1 
of the 128-bit round key for encryption of the new round by performing an XOR 
operation of the most significant 32-bit (i.e., 127* bit to 96* bit) round key RKO 
of the 128-bit round key of the new round with a 32-bit (i.e., 95 th bit to 64* bit) 
round key PK1 next to the most significant 32bits of the 128-bit round key of the 
previous round, and generating the 32-bit (i.e., 95 th bit to 64 th bit) round key RK1 
of the 128-bit round key for decryption of the new round by performing an XOR 
operation of the most significant 32-bit (i.e., 127 th bit to 96 th bit) round key PKO 
of the 128-bit round key of the previous round with the 32-bit (i.e., 95 th bit to 64* 
bit) round key PK1 next to the most significant 32bits, if the second clock of the 
encryption round operation start signal becomes T; 

a third multiplexer for being controlled according to the value of the mode signal 
inputted through the bus, and selectively determining input signals of the third 
XOR gate; 

a fourth XOR gate for generating a 32-bit (i.e., 63 rd bit to 32 nd bit) round key 
RK2 of the 128-bit round key for encryption of the new round by performing an 
XOR operation of the 32-bit (i.e., 95 th bit to 64 th bit) round key RK1 of the 
128-bit round key of the new round with a 32-bit (i.e., 63* bit to 32 nd bit) round 
key PK2 of the 128-bit round key of the previous round, and generating a 32-bit 
(i.e., 63* bit to 32 nd bit) round key RK2 of the 128-bit round key for decryption 
of the new round by performing an XOR operation of the 32-bit (i.e., 95 th bit to 
64 th bit) round key PK1 of the 128-bit round key of the previous round with the 
next 32-bit (i.e., 63 ri bit to 32 nd bit) round key PK2, if the third clock of the 
encryption round operation start signal becomes T; 

a fourth multiplexer for being is controlled according to the value of the mode 
signal inputted through the bus, and selectively determining input signals of the 
fourth XOR gate; 



WO 2004/112309 37 



PCT/KR2004/001296 



a fifth XOR gate for generating a 32-bit (i.e., 31 s * bit to 0* bit) round key RK3 of 
the 128-bit round key for encryption of the new round by performing an XOR 
operation of the 32-bit (i.e., 63* bit to 32 nd bit) round key RK2 of the 128-bit 
round key of the new round with a 32-bit (i.e., 3 1 st bit to 0* bit) round key PK3 
of the 128-bit round key of the previous round, and generating a 32-bit (i.e., 31 st 
bit to 0 th bit) round key RK3 of the 128-bit round key for decryption of the new 
round by performing an XOR operation of the 32-bit (i.e., 63 rd bit to 32 nd bit) 
round key PK2 of the 1 28-bit round key of the previous round with the next 
32-bit (i.e., 3 I s ' bit to 0 th bit) round key PK3, if the fourth clock of the encryption 
round operation start signal becomes '1'; and 

a fifth multiplexer for being controlled according to the value of the mode signal 
inputted through the bus, and selectively determining input signals of the fifth 
XOR gate. 

[14] The apparatus as claimed in claim 12, wherein if the three-clock round operation 

start signal is inputted from the round operation control unit to the round 
operation unit, the round XOR operation unit of the round key generation unit 
generates the encryption round key in a period of two clocks; and 
wherein the round XOR operation unit comprises: 

a second XOR gate for generating the most significant 32-bit round key RKO of 
the 128-bit round key for encryption or decryption of the new round by 
performing an XOR operation of the 32-bit value obtained by adding the output 
bits of the first XOR gate to the remaining 24 bits except for the most significant 
byte of the substitution transform unit, with the most significant 32-bit value 
PKO of the 128-bit round key of the previous round, if the first clock of the 
encryption round operation start signal becomes '1' ; 

a third XOR gate for generating a 32-bit (i.e., 95*" bit to 64* bit) round key RK1 
of the 128-bit round key for encryption of the new round by performing an XOR 
operation of the most significant 32-bit (i.e., 127 th bit to 96* bit) round key RKO 
of the 128-bit round key of the new round with a 32-bit (i.e., 95 th bit to 64* bit) 
round key PK1 next to the most significant 32bits of the 128-bit round key of the 
previous round, and generating the 32-bit (i.e., 95* bit to 64 th bit) round key RK1 
of the 128-bit round key for decryption of the new round by performing an XOR 
operation of the most significant 32-bit (i.e., 127 u> bit to 96 th bit) round key PKO 
of the 128-bit round key of the previous round with the 32-bit (i.e., 95'" bit to 64* 
bit) round key PK1 next to the most significant 32bits, if the second clock of the 
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encryption round operation start signal becomes T ; 

a third multiplexer for being controlled according to 'the value of the mode signal 
inputted through the bus, and selectively determining input signals of the third 
XOR gate; 

a fourth XOR gate for generating a 32-bit (i.e., 63 rd bit to 32 nd bit) round key 
RK2 of the 128-bit round key for encryption of the new round by performing an 
XOR operation of a resultant value 
(RKO © PK1), 

which is obtained by the third XOR gate's XOR operation of the most significant 
32-bit (i.e., 127 bit to 96* bit) round key RKO of the 128-bit round key of the 
new round with the 32-bit (i.e., 95* bit to 64* bit) round key PK1 next to the 
most significant 32 bits of the 128-bit round key of the previous round, with the 
32-bit (i.e., 63 bit to 32 nd bit) round key PK2 of the previous round, and 
generating a 32-bit (i.e., 63* bit to 32 nd bit) round key RK2 of the 128-bit round 
key for decryption of the new round by performing an XOR operation of the 
32-bit (i.e., 95* bit to 64* bit) round key PK1 of the 128-bit round key of the 
previous round with the next 32-bit (i.e., 63"* bit to 32 nd bit) round key PK2 if 
the second clock of the encryption round operation start signal becomes T ■ 
a fourth multiplexer for being is controlled according to the value of the mode 
signal inputted through the bus, and selectively determining input signals of the 
fourth XOR gate; 

a fifth XOR gate for generating a 32-bit (i.e., 31 s ' bit to 0* bit) round key RK3 of 
the 128-bit round key for encryption of the new round by performing an XOR 
operation of the resultant valie 
(RKO © PK1), 

which is obtained by the fourth XOR gate's XOR operation of the most 
significant 32-bit (i.e., 127* bit to 96* bit) round key RKO of the 128-bit round 
key of the new round that has been XORed by the third XOR gate with the 32-bit 
d.e., 95 bit to 64 bit) round key PK1 next to the most significant 32 bits of the 
128-bit round key of the previous round, with the 32-bit (i.e., 63 rd bit to 32 nd bit) 
round key PK2 of the previous round to produce a resultant value 
(RKO © PK1 © PK2) 

of XOR operation, and then by performing an XOR operation of the resultant 
valie 
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(RKO ©PKl © PK2) 

with the 32-bit 01 " bit to 0 th bit) round key PK3 of the previous round and 
generating the 32-bit (i.e., 31 s ' bit to 0* bit) round key RK3 of the 128-bit round 
key for decryption of the new round by performing an XOR operation of the 
32-bxt (i.e., 63 bit to 32 nd bit) round key PK2 of the 128-bit round key of the 
previous round with the next 32-bit (i.e., 31 st bit to 0* bit) round key PK3 if the 
second clock of the encryption round operation start signal becomes T • and 
a fifth multiplexer for being controlled according to the value of the mode signal 
inputted through the bus, and selectively determining input signals of the fifth 
XOR gate. 

The apparatus as claimed in claim 12, wherein if the two-clock round operation 
start signal is inputted from the round operation control unit to the round 
operation unit, the round XOR operation unit of the round key generation unit 
generates the encryption round key in a period of one clock; and 
wherein the round XOR operation unit comprises: 

a second XOR gate for generating the most significant 32-bit round key RKO of 
the 128-bit round key for encryption or decryption of the new round by 
performing an XOR operation of the 32-bit value obtained by adding the output 
bus of the first XOR gate to the remaining 24 bits except for the most significant 
byte of the substitution transform unit, with the most significant 32-bit value 
PKO of the 128-bit round key of the previous round, in a state that the 
encryption round operation start signal is inputted and simultaneous, the clock 
becomes '0' ; 

a third XOR gate for generating a 32-bit (i.e., 95 th bit to 64* bit) round key RKl 
of the 128-bit round key for encryption of the new round by performing an XOR 
operation of the most significant 32-bit (i.e., 127 th bit to 96 th bit) round key RKO 
of the 128-bit round key of the new round with a 32-bit (i.e., 95 th bit to 64 th bit) 
round key PKl next to the most significant 32bits of the 128-bit round key of the 
previous round, and generating the 32-bit (i.e., 95 th bit to 64 th bit) round key RKl 
of the 128-bit round key for decryption of the new round by performing an XOR 
operation of the most significant 32-bit (i.e., 127 th bit to 96 th bit) round key PKO 
of the 128-bit round key of the previous round with the 32-bit (i.e 95 th bit to 64 th 
bit) round key PKl next to the most significant 32bits, if the first clock of the 
encryption round operation start signal becomes T ; 

a third multiplexer for being controlled according to 'the value of the mode signal 
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inputted through the bus, and selectively determining input signals of the third 
XOR gate; 

a fourth XOR gate for generating a 32-bit (i.e., 63 rd bit to 32 nd bit) round key 
RK2 of the 128-bit round key for encryption of the new round by performing an 
XOR operation of a resultant value 
(RKO © PK1), 

which is obtained by the third XOR gate's XOR operation of the most significant 
32-bit (i.e., 127 bit to 96 th bit) round key RKO of the 128-bit round key of the 
new round with the 32-bit (i.e., 95* bit to 64* bit) round key PK1 next to the 
most significant 32 bits of the 128-bit round key of the previous round, with the 
32-bit (i.e., 63 rd bit to 32 nd bit) round key PK2 of the previous round, and 
generating a 32-bit (i.e., 63 rd bit to 32 nd bit) round key RK2 of the 128-bit round 
key for decryption of the new round by performing an XOR operation of the 
32-bit (i.e., 95 th bit to 64* bit) round key PK1 of the 128-bit round key of the 
previous round with the next 32-bit (i.e., 63 rd bit to 32 nd bit) round key PK2, if 
the first clock of the encryption round operation start signal becomes T ; 
a fourth multiplexer for being is controlled according to the vaiie of the mode 
signal inputted through the bus, and selectively determining input signals of the 
fourth XOR gate; 

a fifth XOR gate for generating a 32-bit (i.e., 31 s ' bit to 0* bit) round key RK3 of 
the 128-bit round key for encryption of the new round by performing an XOR 
operation of the resultant vaiie 
(RKO © PK1), 

which is obtained by the fourth XOR gate's XOR operation of the most 
significant 32-bit (i.e., 127 th bit to 96* bit) round key RKO of the 128-bit round 
key of the new round that has been XORed by the third XOR gate with the 32-bit 
d.e., 95 bit to 64 th bit) round key PK1 next to the most significant 32 bits of the 
128-bit round key of the previous round, with the 32-bit (i.e., 63 rd bit to 32 nd bit) 
round key PK2 of the previous round to produce a resultant vaiie 
(RKO © PK1 © PK2) 

of XOR operation, and then by performing an XOR operation of the resultant 
vaiie 

(RKO 0 PKl © PK2) 

with the 32-bit (31 * bit to 0 th bit) round key PK3 of the previous round, and 
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generaung the 32-bi, (i. e .. 3." bi. ,o 0* bil, round key RK3 of die 128-bU round 
key for decryption of the new round b y performing an XOR operation of tile 
32-b,, (l .e.,63 b,.,o32 bit) round key PK2 of the 128-bit round key of the 
pievious round with die next 32-bit (i.e., 31« bi, to 0* bit) round key PK3, if die 
fet dock of die encryption round operation star, signal becomes T • and 
a fifth mmipmxer for being controlled according ,o me valte of me mode signal 
mputied through the bus, and selectively determining inpu, signals of me fifth 
XOR gate. 

A rijndael block encryption method comprising the steps of- 
if a four-clock round operation s,an signal and a round number signal are 
inputted from a round operation control unit after an encryption or decryption 
operation star, signal and a mode 5 ig„al are inputied mrough a bus, a round key 
generation uni, of a round operation uni, transforming a 128-bi, inpu, key into a 
128-b.t round key for encryption in accordance with a value of the mode signal 
inputted mrough the bus from a time when a firs, dock of me round operafion 

start signal becomes '1', and storing .hp or k;* ^ , 

' onng me 128 " blt r °und key m an internal 128-bit 

round key register; 

if me four-clock round operation star, signal and a bi. selection signa! are 
mputted from the round operation control unit, a shift/inverae-shift row 
tiansform uni, performing a byte-shift of upper 64-bi, dan, of 128-bft input data 
mputted through the bus and outputting the byte-shifted upper 64-bi, data 
mrough a firat mmtfexer when Ute firs, dock becomes T, and a substitution/ 
mverae substitution transform uni. successively performing a substitution of the 
upper 64-bit data, outputting the subs.im.ed upper 64-bi. data to a first de- 
mtttpiexer, and storing the substituted upper 64-bi, date in a 64-bi, da«a register 
when a second clock of die round operation start signal becomes '1', a mix/ ' 
uwerae-mixcoktmn transferor uni, performing a mixcoltmn of the upper 64-bi, 
dan, ou,pu,,ed mrough an encryption ou«pu, terminal of me firs, demuxtfexer 
and stored in me 64-bi, date rogister, outputting me mixcobmn-transformed 
upper 64-bi, date ,o a second demultiplexer, and storing me mixcotumn- 
transformed upper 64-bi, data in the 64-bit data rogister, the shift/ 
mverae-shif,_row tiansform uni, simmaneously performing a byte-shift of ,„wer 
64-b.t data of me 128-bi, inpu, data inputted through the bus and outputting the 
byte-shifted iower 64-bi, date mrough the firs, miti.iexer, and me substimtion/ 
mverae-substimtion tiansform uni, successively performing a substimtion of the 
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lower 64-bit data, outputting the substituted lower 64-bit data to the first de- 
multiplexer, and storing the substituted lower 64-bit data in lower 64 bits of a 
128-bit data register; 

when a third clock of the round operation start signal becomes T, an add- 
round-key transform unit performing an addition of the upper 64-bit data 
outputted through an encryption output terminal of the second demultiplexer and 
stored in the 64-bit data register to upper 64-bit round key generated by the 
round key generation unit and storing the added upper 64-bit data in upper 64 
bits of the 128-bit data register, and a mix/inverse-mixcolumn transform unit si- 
multaneous performing a mixcolimn of the lower 64-bit data outputted 
through the encryption output terminal of the first demultiplexer and stored in 
the 128-bit data register, outputting the mixcolumn-transformed lower 64-bit 
data to the second demultiplexer, and storing the mixcolumn-transformed lower 
64-bit data in the lower 64 bits of the 128-bit data register; and 
when a fourth clock of the round operation start signal becomes T, the add- 
round-key transform unit performing an addition of the lower 64-bit data 
outputted through the encryption output terminal of the second demultiplexer 
and stored in the 128-bit data register to lower 64-bit round key generated by the 
round key generation unit and storing the added lower 64-bit data in the lower 64 
bits of the 128-bit data register. 
[17] The encryption method as claimed in claim 16, wherein at the step of the round 

key generation unit transforming the 128-bit input key into the 128-bit round key 
for encryption in accordance with the vabe of the mode signal inputted through 
the bus, and storing the 128-bit round key in the internal 128-bit round key 
register, the 128-bit round key for encryption is generated in a period of four 
clocks of the round operation start signal 
[18] A rijndael block decryption method comprising the steps of: 

if a four-clock round operation start signal and a round number signal are 
inputted from a round operation control unit after an encryption or decryption 
operation start signal and a mode signal are inputted through a bus, a round key 
generation unit of a round operation unit transforming a 128-bit input key into a 
128-bit round key for decryption in accordance with a value of the mode signal 
inputted through the bus from a time when a first clock of the round operation 
start signal becomes T , and storing the 128-bit round key in an internal 128-bit 
round key register; 
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if the four-clock round operation start signal and a bit selection signal are 
inputted from the round operation control unit, a shift/inverse-shift_row 
transform unit performing a byte-inverse-shift of upper 64-bit data of 128-bit 
input data inputted through the bus and outputting the byte-inverse-shifted upper 
64-bit data through a first multiplexer when the first clock becomes T, and a 
substitution/inverse-substitution transform unit successively performing an 
inverse substitution of the upper 64-bit data, outputting the inverse-substituted 
upper 64-bit data to a first demultiplexer, and storing the inverse-substituted 
upper 64-bit data in a 64-bit data register; 

when a second clock of the round operation start signal becomes T, an add-r 
ound-key transform unit performing an addition of the upper 64-bit data 
outputted through a decryption output terminal of the first demultiplexer and 
stored in the 64-bit data register to upper 64-bit round key generated by the 
round key generation unit, outputting the added upper 64-bit data to a third de- 
multiplexer, and storing the added upper 64-bit data in the 64-bit data register 
the shift/inverse-shift_row transform unit simultaneous performing a byte- ' 
inverse-shift of lower 64-bit data of the 128-bit input data inputted through the 
bus, and outputting the byte-inverse-shifted lower 64-bit data through the first 
multiplexer, and the substitution/inverse-substitution transform unit successively 
performing an inverse substitution of the lower 64-bit data, outputting the 
inverse-substituted lower 64-bit data to the first demultiplexer, and storing the 
inverse-substituted lower 64-bit data in lower 64 bits of a 128-bit data register- 
when a third clock of the round operation start signal becomes T, a mix/ 
inverse-mixcobmn transform unit performing an inverse mixcolumn of the 
upper 64-bit data outputted through a decryption output terminal of the third de- 
multiplexer and stored in the 64-bit data register, outputting the inverse- 
mixcolumn-transformed upper 64-bit data through a second demultiplexer, and 
storing the inverse-mixcoLmn-transformed upper 64-bit data in upper 64 bits of 
the 128-bit data register, and the add-round-key transform unit simultaneous 
performing an addition of the lower 64-bit data outputted through the decryption 
output terminal of the first demultiplexer and stored in the 128-bit data register to 
lower 64-bit round key generated by the round key generation unit, outputting 
the added lower 64-bit data through the third demultiplexer, and storing the 
added lower 64-bit data in the lower 64 bits of the 128-bit data register and 
when a fourth clock of the round operation start signal becomes T, the mix/ 
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inverse-mixcobmn transform unit performing an inverse mixcolumn of the 
lower 64-bit data outputted through the decryption output terminal of the third 
demultiplexer and stored in the 128-bit data register, outputting the inverse- 
mixcobmn-transformed lower 64-bit data through a second demultiplexer and 
storing the inverse-mixcobmn-transformed lower 64-bit data in the lower 64 bits 
of the 128-bit data register. 

[19] The decryption method as claimed in claim 18, wherein at the step of the round 

key generation unit transforming the 128-bit input key into the 128-bit round key 
for decryption in accordance with the value of the mode signal inputted through 
the bus, and storing the 128-bit round key in the internal 128-bit round key 
register, the 128-bit round key for decryption is generated in a period of two 
clocks of the round operation start signal 

[20] A rijndael block encryption method comprising the steps of: 

if a three-clock round operation start signal and a round number signal are 
inputted from a round operation control unit after an encryption or decryption 
operation start signal and a mode signal are inputted through a bus, a round key 
generation unit of a round operation unit transforming a 128-bit input key into a 
128-bit round key for encryption in accordance with a value of the mode signal 
inputted through the bus from a time when a first clock of the round operation 
start signal becomes T, and storing the 128-bit round key in an internal 128-bit 
round key register; 

if the three-clock round operation start signal and a bit selection signal are 
inputted from the round operation control unit, a shift/inverse-shift_row 
transform unit performing a byte-shift of upper 64-bit data of 128-bit input data 
inputted through the bus and outputting the byte-shifted upper 64-bit data 
through a first multiplexer when the first clock becomes T, and a substitution/ 
inverse-substitution transform unit successively performing a substitution of the 
upper 64-bit data, outputting the substituted upper 64-bit data to a first de- 
multiplexer, and storing the substituted upper 64-bit data in a 64-bit data register- 
when a second clock of the round operation start signal becomes T, a mix/ 
inverse-mixcoiimn transform unit performing a mixcolumn of the upper 64-bit 
data outputted through an encryption output terminal of the first demultiplexer 
and stored in the 64-bit data register, and outputting the mixcolumn-transformed 
upper 64-bit data to a second demultiplexer, an add-round-key transform unit 
successively performing an addition of this upper 64-bit data to an upper 64-bit 
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round key generated by the round key generation unit, and storing the added 
upper 64-bit data in the 64-bit data register, the shift/inver S e-shift_row transform 
unit simultaneous performing a byte-shift of lower 64-bit data of the 128-bit 
input data inputted through the bus, and outputting the byte-shifted lower 64-bit 
data through the first multiplexer, and the substitution/inverse-substitution 
transform unit successively performing a substitution of the lower 64-bit data, 
outputting the substituted lower 64-bit data to the first demultiplexer, and storing 
the substituted lower 64-bit data in lower 64 bits of a 128-bit data register; and 
when a third clock of the round operation start signal becomes T, storing the 
64-bit data added and then stored in the 64-bit data register in upper 64 bits of 
the 128-bit data register, the mix/inverse-mixcolumn transform unit simul- 
taneously performing a mixcolumn of the lower 64-bit data outputted through the 
encryption output terminal of the first demultiplexer and stored in the 128-bit 
data register, and outputting the mixcobmn-transformed lower 64-bit data to the 
second demultiplexer, and the add-round-key transform unit successively 
performing an addition of the lower 64-bit data to lower 64-bit round key 
generated by the round key generation unit, and storing the added lower 64-bit 
data in the lower 64 bits of the 128-bit data register. 
[21] The encryption method as claimed in claim 20, wherein at the step of the round 

key generation unit transforming the 128-bit input key into the 128-bit round key 
for encryption in accordance with the vabe of the mode signal inputted through 
the bus, and storing the 128-bit round key in the internal 128-bit round key 
register, the 128-bit round key for encryption is generated in a period of two 
clocks of the round operation start signal 
[22] A rijndael block decryption method comprising the steps of: 

if a three-clock round operation start signal and a round number signal are 
inputted from a round operation control unit after an encryption or decryption 
operation start signal and a mode signal are inputted through a bus, a round key 
generation unit of a round operation unit transforming a 128-bit input key into a 
128-bit round key for decryption in accordance with a value of the mode signal 
inputted through the bus from a time when a first clock of the round operation 
start signal becomes T, and storing the 128-bit round key in an internal 128-bit 
round key register; 

if the three-clock round operation start signal and a bit selection signal are 
inputted from the round operation control unit, a shift/inverse-shift_row 
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transform unit performing a byte-inverse-shift of upper 64-bit data of 128-bit 
input data inputted through the bus, and outputting the byte-inverse-shifted upper 
64-b,t data through a first multiplexer when the first clock becomes T and a 
substitution/inverse-substitution transform unit successively performing an 
inverse substitution of the upper 64-bit data, outputting the inverse-substituted 
upper 64-bit data to a first demultiplexer, and storing the inverse-substituted 
upper 64-bit data in a 64-bit data register; 

when a second clock of the round operation start signal becomes T, an add- 
round-key transform unit performing an addition of the upper 64-bit data 
outputted through a decryption output terminal of the first demuMplexer and 
stored in the 64-bit data register to upper 64-bit round key generated by the 
round key generation unit, and outputting the added upper 64-bit data to a third 
demurer, a mix/inverse-mixcolumn transform unit successively performing 
an mverse mixcobmn of the added upper 64-bit data, outputting the inverse- 
mixcobmn-transformed upper 64-bit data through a second demultiplexer and 
stonng the inverse-mixcobmn-transformed upper 64-bit data in the 64-bi't data 
register, the shiMnverse-shift.row transform unit simuttaneoudy performing a 
byte-inverse-shift of lower 64-bit data of the 128-bit input data inputted through 
the bus, and outputting the byte-inverse-shifted lower 64-bit data through the 
first multiplexer, and the substitution/inverse-substitution transform unit suc- 
cessively performing an inverse substitution of the lower 64-bit data, outputting 
the inverse-substituted lower 64-bit data to the first demultiplexer, and storing 
the inverse-substituted lower 64-bit data in lower 64 bits of a 128-bit data 
register; and 

when a third clock of the round operation start signal becomes T, the add- 
round-key transform unit performing an addition of the lower 64-bit data outp 
utted through the decryption output terminal of the first demultiplexer and stored 
in the 128-bit data register to lower 64-bit round key generated by the round key 
generation unit and outputting the added lower 64-bit data to the third de- 
multiplexer, the mix/inverse-mixcolimn transform unit successively performing 
an inverse mixcolumn of the added lower 64-bit data, outputting the inverse- 
mixcoiimn-transformed lower 64-bit data through a second demuMplexer and 
storing the inverse-mixcoLmn-transformed lower 64-bit data in the lower 64 bits 
of the 128-bit data register, and simultaneous storing the upper 64-bit data 
stored in the 64-bit data register in upper 64 bits of the 128-bit data register 
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[23] The decryption method as claimed in claim 22, wherein at the step of the round 

key generation unit transforming the 128-bit input key into the 128-bit round key 
for decryption in accordance with the value of the mode signal inputted through 
the bus, and storing the 128-bit round key in the internal 128-bit round key 
register, the 128-bit round key for decryption is generated in a period of two 
clocks of the round operation start signal 

[24] A rijndael block encryption method comprising the steps of: 

if a two-clock round operation start signal and a round number signal are 
inputted from a round operation control unit after an encryption or decryption 
operation start signal and a mode signal are inputted through a bus, a round key 
generation unit of a round operation unit transforming a 128-bit input key into a 
128-bit round key for encryption in accordance with a value of the mode signal 
inputted through the bus from a time when a first clock of the round operation 
start signal becomes T , and storing the 128-bit round key in an internal 128-bit 
round key register; 

if the two-clock round operation start signal and a bit selection signal are 
inputted from the round operation control unit, a shift/inverse-shift_row 
transform unit performing a byte-shift of upper 64-bit data of 128-bit input data 
inputted through the bus and outputting the byte-shifted upper 64-bit data 
through a first multiplexer when the first clock becomes T , a substitution/ 
inverse-substitution transform unit successively performing a substitution of the 
upper 64-bit data, and outputting the substituted upper 64-bit data through a first 
demultiplexer, a mix/inverse-mixcolumn transform unit performing a mixcolumn 
of the upper 64-bit data outputted through an encryption output terminal of the 
first demultiplexer, and outputting the mixcolumn-transformed upper 64-bit data 
to a second demultiplexer, and an add-round-key transform unit successively 
performing an addition of this upper 64-bit data to an upper 64-bit round key 
generated by the round key generation unit, and storing the added upper 64-bit 
data in a 64-bit data register; and 

when a second clock of the round operation start signal becomes T , the shift/ 
inverse-shift_row transform unit performing a byte-shift of lower 64-bit data of 
the 128-bit input data inputted through the bus and outputting the byte-shifted 
lower 64-bit data through the first multiplexer, and the substitution/ 
inverse-substitution transform unit successively performing a substitution of the 
lower 64-bit data, and outputting the substituted lower 64-bit data to the first de- 
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multiplexer, the mix/inverse-mixcobmn transform unit successively performing 
a mixcolumn of the lower 64-bit data, and outputting the mixcolumn- 
transformed lower 64-bit data to the second demultiplexer, the add-round-key 
d-ansform unit successively performing an addition of this lower 64-bit data to 
lower 64-bit round key generated by the round key generation unit, and storing 
the added lower 64-bit data in lower 64 bits of a 128-bit data register, and simul- 
taneously storing the upper 64-bit data stored in the 64-bit data register in upper 
64 bits of the 128-bit data register. 

[25] The encryption method as claimed in claim 24, wherein at the step of the round 

key generation unit transforming the 128-bit input key into the 128-bit round key 
for encryption in accordance with the value of the mode signal inputted through 
the bus, and storing the 128-bit round key in the internal 128-bit round key 
register, the 128-bit round key for encryption is generated in a period of one 
clock of the round operation start signal 

[26] A rijndael block decryption method comprising the steps of: 

if a two-clock round operation start signal and a round number signal are 
inputted from a round operation control unit after an encryption or decryption 
operation start signal and a mode signal are inputted through a bus, a round key 
generation unit of a round operation unit transforming a 128-bit input key into a 
128-bit round key for decryption in accordance with a value of the mode signal 
inputted through the bus from a time when a first clock of the round operation 
start signal becomes T, and storing the 128-bit round key in an internal 128-bit 
round key register; 

if the two-clock round operation start signal and a bit selection signal are 
inputted from the round operation control unit, a shift/inverse-shift_row 
transform unit performing a byte-inverse-shift of upper 64-bit data of 128-bit 
input data inputted through the bus, and outputting the byte-inverse-shifted upper 
64-bit data through a first multiplexer when the first clock becomes T, a sub- 
stitution/inverse-substitution transform unit successively performing an inverse 
substitution of the upper 64-bit data, and outputting the inverse-substituted upper 
64-bit data to a first demultiplexer, an add-round-key transform unit successively 
performing an addition of the upper 64-bit data outputted through a decryption 
output terminal of the first demultiplexer to an upper 64-bit round key generated 
by the round key generation unit, and outputting the added upper 64-bit data to a 
third demultiplexer, and a mix/inverse-mixcolumn transform unit successively 
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performing an inverse mixcobmn of the added upper 64-bit data, outputting the 
inverse-mixcolimn-transformed upper 64-bit data through a second de- 
multiplexer, and storing the inverse-mixcolumn-transformed upper 64-bit data in 
a 64-bit data register; and 

when a second clock of the round operation start signal becomes T , the shift/ 
inverse-shift_row transform unit performing a byte-inverse-shift of lower 64-bit 
data of the 128-bit input data inputted through the bus and outputting the byte- 
inverse-shifted lower 64-bit data through the first multiplexer, the substitution/ 
inverse-substitution transform unit successively performing an inverse sub- 
stitution of the lower 64-bit data, and outputting the inverse-substituted lower 
64-bit data to the first demultiplexer, the add-round-key transform unit suc- 
cessively performing an addition of the lower 64-bit data outputted through the 
decryption output terminal of the first demultiplexer to a lower 64-bit round key 
generated by the round key generation unit, and outputting the added lower 
64-bit data to the third demultiplexer, the mix/inverse-mixcolimn transform unit 
successively performing an inverse mixcolumn of the added lower 64-bit data, 
outputting the inverse-mixcolumn-transformed lower 64-bit data through a 
second demultiplexer, and storing the inverse-mixcokimn-transformed lower 
64-bit data in lower 64 bits of a 128-bit data register, and simultaneous storing 
the upper 64-bit data stored in the 64-bit data register in upper 64 bits of the 
128-bit data register. 

[27] The decryption method as claimed in claim 26, wherein at the step of the round 

key generation unit transforming the 128-bit input key into the 128-bit round key 
for decryption in accordance with the valie of the mode signal inputted through 
the bus, and storing the 128-bit round key in the internal 128-bit round key 
register, the 128-bit round key for decryption is generated in a period of one 
clock of the round operation start signal 



